Drift Protocol Hacked for $285 Million: How North Korean Hackers Exploited Solana's Durable Nonces
The biggest DeFi hack of 2026 drained $285M from Solana-based Drift Protocol on April Fools' Day. Elliptic links the attack to North Korean state hackers. Here's exactly what happened.
Uvin Vindula — IAMUVIN
Published 2026-04-03
$285 Million Gone in Under an Hour
On April 1, 2026 — yes, April Fools' Day — Solana-based perpetual futures exchange Drift Protocol suffered the largest DeFi exploit of the year. Attackers drained $285 million in USDC, SOL, JLP, and WBTC from the protocol in less than 60 minutes. This isn't a joke — it's a masterclass in how sophisticated state-sponsored hackers exploit seemingly benign blockchain features.
I've been warning the Sri Lankan crypto community about DeFi security risks for years. This hack proves exactly why you need to understand what you're putting your money into before chasing yield.
How the Attack Worked
The attacker exploited a Solana-specific feature called durable nonces — a mechanism designed to let users pre-sign transactions for later execution. Here's the attack flow:
- Social engineering: The attacker gained access to 2 of Drift's 5-member Security Council multisig signers through misleading approval requests.
- Pre-signed transactions: Using durable nonces, the attacker pre-signed malicious transactions that looked like routine operations.
- Admin takeover: With just 2 out of 5 approvals, the attacker seized administrative control of the protocol.
- Rapid drain: Within minutes, $285M was siphoned across multiple wallets.
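A signer can spot a durable-nonce transaction before approving it, because such a transaction always starts with the System Program's AdvanceNonceAccount instruction. The JavaScript below is an added example, not code from Drift or from this article; `inspectMessage`, `sampleMessage` and the filler keys are assumptions made for illustration.

```javascript
// Flags Solana durable-nonce transactions before signing (added example).
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
function base58(bytes) {
  let n = 0n, out = "";
  for (const b of bytes) n = n * 256n + BigInt(b);
  for (; n > 0n; n /= 58n) out = B58[Number(n % 58n)] + out;
  for (const b of bytes) { if (b !== 0) break; out = "1" + out; }
  return out;
}

// Parses a serialized Solana message (legacy or v0 layout) and reports whether
// its first instruction is the System Program's AdvanceNonceAccount (index 4).
function inspectMessage(msg) {
  let p = (msg[0] & 0x80) ? 1 : 0;          // skip the version prefix byte if present
  const take = (n) => {
    if (p + n > msg.length) throw new RangeError("truncated message");
    return msg.subarray(p, (p += n));
  };
  const compactU16 = () => {                // variable-length count, 7 bits per byte
    let v = 0;
    for (let shift = 0; shift < 21; shift += 7) {
      const b = take(1)[0];
      v |= (b & 0x7f) << shift;
      if (!(b & 0x80)) return v;
    }
    throw new RangeError("bad compact-u16");
  };
  take(3);                                  // header: signature and read-only counts
  const keys = Array.from({ length: compactU16() }, () => take(32));
  take(32);                                 // blockhash field; holds the nonce value here
  if (compactU16() === 0) return { durableNonce: false };
  const program = keys[take(1)[0]];
  const accounts = take(compactU16());
  const data = take(compactU16());
  const isSystem = !!program && program.every((b) => b === 0); // all-zero key = System Program
  const isAdvance = data.length >= 4 && data[0] === 4 && !(data[1] | data[2] | data[3]);
  if (!isSystem || !isAdvance || accounts.length < 3) return { durableNonce: false };
  const name = (i) => (keys[i] ? base58(keys[i]) : `lookup-table index ${i}`);
  // Instruction accounts: [nonce account, RecentBlockhashes sysvar, nonce authority]
  return { durableNonce: true, nonceAccount: name(accounts[0]), nonceAuthority: name(accounts[2]) };
}

// Constructed sample message: keys are filler bytes, not real addresses.
function sampleMessage(ixData) {
  const key = (fill) => new Array(32).fill(fill);
  const head = [1, 0, 2, 4, ...key(7), ...key(9), ...key(5), ...key(0)]; // header + 4 keys
  // nonce value, then 1 instruction: program = keys[3], accounts = [1, 2, 0], data
  return Uint8Array.from([...head, ...key(0xaa), 1, 3, 3, 1, 2, 0, ixData.length, ...ixData]);
}
```

A result of `durableNonce: true` means the signature does not lapse with the blockhash, so the approval stays usable until the nonce account is advanced.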
The North Korea Connection
Blockchain analytics firm Elliptic flagged the exploit as likely linked to North Korean state-sponsored hackers (DPRK). This follows the pattern of the Lazarus Group, which has stolen billions from crypto protocols to fund weapons programs. The on-chain movement patterns, mixing techniques, and speed of execution all match known DPRK signatures.
Collateral Damage Across Solana
Drift's TVL crashed from $550 million to under $300 million in less than an hour. But the damage didn't stop there — 12+ Solana DeFi protocols experienced significant spillover effects as liquidity evaporated and users rushed to withdraw. The DRIFT token itself plunged over 40% within hours.
What This Means for You in Sri Lanka
If you're using DeFi protocols — on any chain — this hack should be a wake-up call:
- Multisig isn't magic: A 3-of-5 multisig is only as secure as its weakest signers. Social engineering bypasses cryptographic security.
- Understand the chain: Solana's durable nonces are a convenience feature that became an attack vector. Every chain has unique risks.
- Not your keys, not your coins: If your funds are in a DeFi protocol, they're at the mercy of that protocol's security. Self-custody Bitcoin in a hardware wallet remains the safest option.
- State actors are in this game: You're not just competing against random hackers. Nation-states with unlimited resources are targeting DeFi.
The Bigger Picture
This is the second-largest hack ever recorded on Solana and the biggest crypto exploit of 2026 so far. It reinforces what I've been saying: Bitcoin's simplicity is a feature, not a bug. No smart contracts means no smart contract exploits. No admin keys means no admin key compromises.
Stay safe out there. If you're exploring DeFi, start with our security guides and never invest more than you can afford to lose.

By Uvin Vindula — IAMUVIN
Sri Lanka's leading Bitcoin educator. Author of "The Rise of Bitcoin".